From f6bbb5b67d9e3ff3e3f9e45282ed7551e7fff793 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Thu, 26 Jan 2006 17:34:57 +0000 Subject: [PATCH] FIPS related updates for Windows build. Only build fipscanister.o from the GMAKE target. Use precompiled fipscanister.o from other targets. Update fipslink.pl script to check fipscanister.o and fips_premain.c hashes. --- util/fipslink.pl | 37 ++++++++++++++++++++++++----- util/mk1mf.pl | 53 +++++++++++++++++++++++++++++++----------- util/pl/VC-32-GMAKE.pl | 33 ++++++++++++++++---------- util/pl/VC-32.pl | 6 +++-- 4 files changed, 95 insertions(+), 34 deletions(-) diff --git a/util/fipslink.pl b/util/fipslink.pl index aa9928c053..5b9466984e 100644 --- a/util/fipslink.pl +++ b/util/fipslink.pl @@ -12,8 +12,9 @@ sub check_env } -my ($fips_cc,$fips_cc_args, $fips_link,$fips_target) - = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET"); +my ($fips_cc,$fips_cc_args, $fips_link,$fips_target, $fips_libdir) + = check_env("FIPS_CC", "FIPS_CC_ARGS", "FIPS_LINK", "FIPS_TARGET", + "FIPS_LIBDIR"); @@ -26,9 +27,14 @@ if (exists $ENV{"FIPS_PREMAIN_DSO"}) $fips_premain_dso = ""; } +check_hash("fips_premain.c"); +check_hash("fipscanister.o"); -print "$fips_cc $fips_cc_args\n"; -system "$fips_cc $fips_cc_args"; + +print "Integrity check OK\n"; + +print "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c\n"; +system "$fips_cc $fips_cc_args $fips_libdir/fips_premain.c"; die "First stage Compile failure" if $? != 0; print "$fips_link @ARGV\n"; @@ -42,8 +48,8 @@ chomp $fips_hash; die "Get hash failure" if $? != 0; -print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args\n"; -system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args"; +print "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c\n"; +system "$fips_cc -DHMAC_SHA1_SIG=\\\"$fips_hash\\\" $fips_cc_args $fips_libdir/fips_premain.c"; die "Second stage Compile failure" if $? != 0; 
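Review bot: The new first-stage compile passes `$fips_libdir/fips_premain.c` to the single-string form of `system`, so the value of FIPS_LIBDIR is re-parsed by the shell; a directory containing spaces or shell metacharacters splits or alters the command. The same applies to the second-stage compile in the `@@ -42,8 +48,8 @@` hunk. Since `$fips_cc_args` is meant to be word-split, quote only the path, e.g. `system "$fips_cc $fips_cc_args \"$fips_libdir/fips_premain.c\"";`. Quoting rules differ between the GMAKE shell and cmd.exe, so this needs testing under both targets.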
@@ -51,3 +57,22 @@ print "$fips_link @ARGV\n"; system "$fips_link @ARGV"; die "Second stage Link failure" if $? != 0; +sub check_hash + { + my ($filename) = @_; + my ($hashfile, $hashval); + + open(IN, "${fips_libdir}/${filename}.sha1") || die "Cannot open file hash file ${fips_libdir}/${filename}.sha1"; + $hashfile = ; + close IN; + $hashval = `${fips_libdir}/fips_standalone_sha1.exe ${fips_libdir}/$filename`; + chomp $hashfile; + chomp $hashval; + $hashfile =~ s/^.*=\s+//; + $hashval =~ s/^.*=\s+//; + die "Invalid hash syntax in file" if (length($hashfile) != 40); + die "Invalid hash received for file" if (length($hashval) != 40); + die "***HASH VALUE MISMATCH FOR FILE $filename ***" if ($hashval ne $hashfile); + } + + diff --git a/util/mk1mf.pl b/util/mk1mf.pl index e552d02905..2889782bef 100755 --- a/util/mk1mf.pl +++ b/util/mk1mf.pl @@ -13,6 +13,9 @@ $banner="\t\@echo Building OpenSSL"; local $zlib_opt = 0; # 0 = no zlib, 1 = static, 2 = dynamic local $zlib_lib = ""; +my $fips_canister_path = ""; +my $fipslibdir = "fipslib"; + open(IN,") { $ssl_version=$1 if (/^VERSION=(.*)$/); @@ -111,6 +114,8 @@ $tmp_def="tmp"; $mkdir="-mkdir"; $mkcanister="ld -r -o"; +$ex_build_targets = ""; + ($ssl,$crypto)=("ssl","crypto"); $ranlib="echo ranlib"; @@ -301,8 +306,11 @@ for (;;) $uc =~ s/^lib(.*)\.a/$1/; $uc =~ tr/a-z/A-Z/; } - $lib_nam{$uc}=$uc; - $lib_obj{$uc}.=$libobj." "; + if (($uc ne "FIPS") || $fips_canister_build) + { + $lib_nam{$uc}=$uc; + $lib_obj{$uc}.=$libobj." "; + } } last if ($val eq "FINISHED"); $lib=""; @@ -348,6 +356,13 @@ for (;;) } close(IN); +if ($fips_canister_path eq "") + { + $fips_canister_path = "\$(FIPSLIB_D)${o}fipscanister.o"; + } + + $ex_build_targets .= "\$(FIPSLIB_D)${o}\$(E_PREMAIN_DSO)$exep" if ($fips_canister_build); + $defs= <<"EOF"; # This makefile has been automatically generated from the OpenSSL distribution. # This single makefile will build the complete OpenSSL distribution and 
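Review bot: check_hash never tests whether the hashing program ran successfully: the backtick call has no `$? != 0` check, and the 40-character length test accepts any 40 characters rather than hex digits, so a failed run is reported only indirectly as a length error. The `.sha1` file is opened with two-argument `open` on a path built from FIPS_LIBDIR, which lets mode characters in that value be interpreted; three-argument `open` with a lexical handle avoids that, and the two syntax `die` messages should name the file. The reference hash, the hashing program and the checked file all come from the same FIPS_LIBDIR, so this catches corruption or a stale canister but not replacement by anyone who can write that directory; a comment saying so would prevent over-reliance on it. The handle read on the `$hashfile =` line appears truncated on this page, so the sketch below assumes it reads one line.

```perl
my $sha1file = "${fips_libdir}/${filename}.sha1";
open(my $in, '<', $sha1file) || die "Cannot open file hash file $sha1file";
$hashfile = <$in>;
close $in;
die "Empty hash file $sha1file" unless defined $hashfile;
$hashval = `${fips_libdir}/fips_standalone_sha1.exe ${fips_libdir}/$filename`;
die "Hash program failure for $filename" if $? != 0;
# ... unchanged: chomp both values and strip the "...= " prefix ...
die "Invalid hash syntax in file $sha1file" if ($hashfile !~ /\A[0-9a-fA-F]{40}\z/);
die "Invalid hash received for file $filename" if ($hashval !~ /\A[0-9a-fA-F]{40}\z/);
```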
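Review bot: The integrity check and the link step can end up looking at different files: fipslink.pl always hashes `fipscanister.o` under FIPS_LIBDIR, while the object actually linked is whatever `O_FIPSCANISTER` expands to, which comes from `$fips_canister_path` set in this hunk. In the visible hunks that variable is only ever the empty default, so the two agree, but if an option elsewhere assigns it (not visible here) the check would verify one file and the link would consume another. Either derive FIPS_LIBDIR from the canister path or have fipslink.pl hash the canister it is actually given in `@ARGV`. A comment such as `# fipslink.pl verifies $(FIPSLIB_D)/fipscanister.o; keep O_FIPSCANISTER pointing there` would at least record the coupling.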
@@ -428,6 +443,10 @@ TMP_D=$tmp_dir INC_D=$inc_dir INCO_D=$inc_dir${o}openssl +# Directory containing FIPS module + +FIPSLIB_D=$fipslibdir + CP=$cp RM=$rm RANLIB=$ranlib @@ -463,7 +482,7 @@ INCL_D=\$(TMP_D) O_SSL= \$(LIB_D)$o$plib\$(SSL)$shlibp O_CRYPTO= \$(LIB_D)$o$plib\$(CRYPTO)$shlibp -O_FIPSCANISTER= \$(LIB_D)${o}fipscanister$obj +O_FIPSCANISTER= $fips_canister_path SO_SSL= $plib\$(SSL)$so_shlibp SO_CRYPTO= $plib\$(CRYPTO)$so_shlibp L_SSL= \$(LIB_D)$o$plib\$(SSL)$libp @@ -485,7 +504,7 @@ LIBS_DEP=\$(O_CRYPTO) \$(O_SSL) EOF $rules=<<"EOF"; -all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) headers lib exe +all: banner \$(TMP_D) \$(BIN_D) \$(TEST_D) \$(LIB_D) \$(INCO_D) \$(FIPSLIB_D) headers lib exe $ex_build_targets banner: $banner @@ -508,6 +527,9 @@ $banner \$(INC_D): \$(MKDIR) \$(INC_D) +\$(FIPSLIB_D): + \$(MKDIR) \$(FIPSLIB_D) + headers: \$(HEADER) \$(EXHEADER) @ @@ -597,21 +619,19 @@ $rules.=&do_compile_rule("\$(OBJ_D)",$e_exe,'-DMONOLITH $(APP_CFLAGS)'); # Special case rules for fips_start and fips_end fips_premain_dso -if ($fips) +if ($fips && $fips_canister_build) { $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_start$obj", "fips${o}fips_canister.c", "-DFIPS_START \$(SHLIB_CFLAGS)"); $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_end$obj", "fips${o}fips_canister.c", "\$(SHLIB_CFLAGS)"); + $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj", + "fips${o}sha${o}fips_standalone_sha1.c", "\$(SHLIB_CFLAGS)"); $rules.=&cc_compile_target("\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj", "fips${o}fips_premain.c", "-DFINGERPRINT_PREMAIN_DSO_LOAD \$(SHLIB_CFLAGS)"); - $rules.=&cc_compile_target("\$(OBJ_D)${o}fips_standalone_sha1$obj", - "fips${o}sha${o}fips_standalone_sha1.c", "\$(SHLIB_CFLAGS)"); } - - foreach (values %lib_nam) { $lib_obj=$lib_obj{$_}; 
@@ -696,12 +716,13 @@ if ($fips) { $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)", "\$(O_CRYPTO)",$crypto,$shlib, "\$(SO_CRYPTO)", - "0xFB00000", "\$(BIN_D)$o\$(E_PREMAIN_DSO)$exep", + "0xFB00000", "\$(FIPSLIB_D)$o\$(E_PREMAIN_DSO)$exep", "fips${o}fips_premain.c"); } else { $rules.= &do_lib_rule("\$(CRYPTOOBJ) \$(O_FIPSCANISTER)", +# $rules.= &do_lib_rule("\$(CRYPTOOBJ)", "\$(O_CRYPTO)",$crypto,$shlib,"\$(SO_CRYPTO)", ""); } } @@ -712,12 +733,16 @@ if ($fips) } -if ($fips) +if ($fips && $fips_canister_build) { - $rules.= &do_rlink_rule("\$(O_FIPSCANISTER)", "\$(OBJ_D)${o}fips_start$obj \$(FIPSOBJ) \$(OBJ_D)${o}fips_end$obj", "\$(BIN_D)${o}fips_standalone_sha1$exep"); - $rules.=&do_link_rule("\$(BIN_D)$o\$(E_PREMAIN_DSO)$exep","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(CRYPTOOBJ) \$(O_FIPCANISTER)","","\$(EX_LIBS) \$(O_FIPSCANISTER)"); - $rules.=&do_link_rule("\$(BIN_D)${o}fips_standalone_sha1$exep","\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}fips_sha1dgst$obj","","", 1); + $rules.= &do_rlink_rule("\$(O_FIPSCANISTER)", "\$(OBJ_D)${o}fips_start$obj \$(FIPSOBJ) \$(OBJ_D)${o}fips_end$obj", "\$(FIPSLIB_D)${o}fips_standalone_sha1$exep", "") if $fips_canister_build; + $rules.=&do_link_rule("\$(FIPSLIB_D)${o}\$(E_PREMAIN_DSO)$exep","\$(OBJ_D)${o}\$(E_PREMAIN_DSO)$obj \$(O_CRYPTO)","","\$(EX_LIBS)", 1); + } + + $rules.=&do_link_rule("\$(FIPSLIB_D)${o}fips_standalone_sha1$exep","\$(OBJ_D)${o}fips_standalone_sha1$obj \$(OBJ_D)${o}fips_sha1dgst$obj","","", 1); +if ($fips) + { $rules.=&do_link_rule("\$(BIN_D)$o\$(E_EXE)$exep","\$(E_OBJ)","\$(LIBS_DEP)","\$(L_LIBS) \$(EX_LIBS)",0,"\$(BIN_D)$o\$(E_EXE)$exep"); } else diff --git a/util/pl/VC-32-GMAKE.pl b/util/pl/VC-32-GMAKE.pl index 3d25165e83..be4a11db9d 100644 --- a/util/pl/VC-32-GMAKE.pl +++ b/util/pl/VC-32-GMAKE.pl 
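Review bot: The premain DSO executable is now taken from `$(FIPSLIB_D)`, but the new check_hash calls in fipslink.pl cover only `fips_premain.c` and `fipscanister.o`. For targets that use a precompiled module, this executable would then be a prebuilt binary that the link script presumably runs to obtain the signature, without any hash check of its own; confirm whether that is intended and, if not, ship and verify a `.sha1` for it too. Separately, the added line `# $rules.= &do_lib_rule("\$(CRYPTOOBJ)",` is commented-out code sitting inside a multi-line call in the `else` branch and should be dropped or explained.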
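Review bot: The link rule for `$(FIPSLIB_D)${o}fips_standalone_sha1$exep` now sits outside both `if` blocks, so it is emitted for every build, while the compile rule for `fips_standalone_sha1$obj` in the `@@ -597,21 +619,19 @@` hunk is only generated when `$fips && $fips_canister_build`. In a non-canister or non-FIPS makefile that leaves a rule whose prerequisite has no visible recipe; guarding it with `if ($fips && $fips_canister_build)` would match the compile rule. The trailing `if $fips_canister_build` on the `do_rlink_rule` line is redundant inside a block already conditioned on it.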
@@ -14,6 +14,8 @@ $rm='rm'; $zlib_lib="zlib1.lib"; +$fips_canister_build = 1 if $fips; + # C compiler stuff $cc='cl'; $cflags=' -MD -W3 -WX -G5 -Ox -O2 -Ob2 -Gs0 -GF -Gy -nologo -DOPENSSL_SYSNAME_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -DDSO_WIN32'; @@ -21,9 +23,9 @@ $cflags.=' -D_CRT_SECURE_NO_DEPRECATE'; # shut up VC8 $lflags="-nologo -subsystem:console -machine:I386 -opt:ref"; $mlflags=''; -$out_def="out32"; -$tmp_def="tmp32"; -$inc_def="inc32"; +$out_def="gmout32"; +$tmp_def="gmtmp32"; +$inc_def="gminc32"; if ($debug) { @@ -98,8 +100,8 @@ if ($shlib) $mlflags.=" $lflags -dll"; # $cflags =~ s| -MD| -MT|; $lib_cflag=" -D_WINDLL"; - $out_def="out32dll"; - $tmp_def="tmp32dll"; + $out_def="gmout32dll"; + $tmp_def="gmtmp32dll"; } $cflags.=" -Fd$out_def"; @@ -137,12 +139,13 @@ sub do_lib_rule $ex.=" $zlib_lib" if $zlib_opt == 1 && $target =~ /O_CRYPTO/; if (defined $fips_get_sig) { - $ret.="$target: $objs $fips_get_sig\n"; + $ret.="$target: \$(O_FIPSCANISTER) $objs $fips_get_sig\n"; $ret.="\tFIPS_LINK=\$(LINK) "; $ret.="FIPS_CC=\$(CC) "; - $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\" "; + $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" "; $ret.="FIPS_PREMAIN_DSO=$fips_get_sig "; $ret.="FIPS_TARGET=$target "; + $ret.="FIPS_LIBDIR=\$(FIPSLIB_D) "; $ret.="\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target "; $ret.="-def:ms/${Name}.def \$(SHLIB_EX_OBJ) $objs "; $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n\n"; 
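Review bot: The contract between this rule and fipslink.pl changes silently in the `@@ -137,12 +139,13 @@` hunk: `FIPS_CC_ARGS` now ends in `-c` with no source file, and the script appends `$fips_libdir/fips_premain.c` itself. Anyone adding another target file will not learn that from the generator, so a comment above the `FIPS_CC_ARGS` line would help, for example `# fipslink.pl appends FIPS_LIBDIR/fips_premain.c after hash-checking it; do not name the source here`. The same applies to do_link_rule in the next hunk and to both hunks in util/pl/VC-32.pl. `FIPS_LIBDIR=\$(FIPSLIB_D)` is also passed unquoted while `FIPS_CC_ARGS` is quoted, which only works as long as the directory name has no spaces.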
@@ -163,24 +166,27 @@ sub do_link_rule local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($targer); - $ret.="$target: $files $dep_libs\n"; if ($standalone) { + $ret.="$target: $files $dep_libs\n"; $ret.="\t\$(LINK) \$(LFLAGS) $efile$target "; $ret.="$files $libs\n\n"; } elsif ($fips && !$shlib) { + $ret.="$target: \$(O_FIPSCANISTER) $files $dep_libs\n"; $ret.="\tFIPS_LINK=\$(LINK) "; $ret.="FIPS_CC=\$(CC) "; - $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\" "; + $ret.="FIPS_CC_ARGS=\"-Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\" "; $ret.="FIPS_PREMAIN_DSO= "; $ret.="FIPS_TARGET=$target "; + $ret.="FIPS_LIBDIR=\$(FIPSLIB_D) "; $ret.=" \$(FIPSLINK) \$(LFLAGS) $efile$target "; $ret.="\$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n\n"; } else { + $ret.="$target: $files $dep_libs\n"; $ret.="\t\$(LINK) \$(LFLAGS) $efile$target "; $ret.="\$(APP_EX_OBJ) $files $libs\n\n"; } @@ -190,14 +196,17 @@ sub do_link_rule sub do_rlink_rule { - local($target,$files,$check_hash)=@_; + local($target,$files,$check_hash, $deps)=@_; local($ret,$_); $file =~ s/\//$o/g if $o ne '/'; $n=&bname($targer); - $ret.="$target: $check_hash $files $dep_libs\n"; + $ret.="$target: $check_hash $files $deps\n"; $ret.="\t\$(PERL) util${o}checkhash.pl -chdir fips -program_path ..$o$check_hash\n"; - $ret.="\t\$(MKCANISTER) $target $files\n\n"; + $ret.="\t\$(MKCANISTER) $target $files\n"; + $ret.="\t$check_hash $target > $target.sha1\n"; + $ret.="\t\$(CP) fips${o}fips_premain.c \$(FIPSLIB_D)\n"; + $ret.="\t$check_hash \$(FIPSLIB_D)${o}fips_premain.c > \$(FIPSLIB_D)${o}fips_premain.c.sha1\n\n"; return($ret); } diff --git a/util/pl/VC-32.pl b/util/pl/VC-32.pl index 05d73d7d10..6c7e4bcbee 100644 --- a/util/pl/VC-32.pl +++ b/util/pl/VC-32.pl 
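Review bot: In do_rlink_rule the recipe copies and hashes `fips${o}fips_premain.c`, but that file is not a prerequisite of the target: the rule line is `$target: $check_hash $files $deps`, and the caller in mk1mf.pl passes `""` for `$deps`. If the source changes without the canister objects changing, `$(FIPSLIB_D)` keeps the old copy and its old `.sha1`, which later passes the integrity check while being stale. Passing `"fips${o}fips_premain.c"` as the new `$deps` argument would tie the two together. The `.sha1` files are written by shell redirection, so a failing hash program leaves a partial file behind; the later length check rejects it, but removing it on failure would give a clearer error.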
@@ -137,9 +137,10 @@ sub do_lib_rule $ret.="$target: $objs $fips_get_sig\n"; $ret.="\tSET FIPS_LINK=\$(LINK)\n"; $ret.="\tSET FIPS_CC=\$(CC)\n"; - $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\n"; + $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n"; $ret.="\tSET FIPS_PREMAIN_DSO=$fips_get_sig\n"; $ret.="\tSET FIPS_TARGET=$target\n"; + $ret.="\tSET FIPS_LIBDIR=\$(FIPSLIB_D)\n"; $ret.="\t\$(FIPSLINK) \$(MLFLAGS) $base_arg $efile$target "; $ret.="/def:ms/${Name}.def @<<\n \$(SHLIB_EX_OBJ) $objs "; $ret.="\$(OBJ_D)${o}fips_premain.obj $ex\n<<\n"; @@ -170,9 +171,10 @@ sub do_link_rule { $ret.="\tSET FIPS_LINK=\$(LINK)\n"; $ret.="\tSET FIPS_CC=\$(CC)\n"; - $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c \$(SRC_D)${o}fips${o}fips_premain.c\n"; + $ret.="\tSET FIPS_CC_ARGS=/Fo\$(OBJ_D)${o}fips_premain.obj \$(SHLIB_CFLAGS) -c\n"; $ret.="\tSET FIPS_PREMAIN_DSO=\n"; $ret.="\tSET FIPS_TARGET=$target\n"; + $ret.="\tSET FIPS_LIBDIR=\$(FIPSLIB_D)\n"; $ret.=" \$(FIPSLINK) \$(LFLAGS) $efile$target @<<\n"; $ret.=" \$(APP_EX_OBJ) $files \$(OBJ_D)${o}fips_premain.obj $libs\n<<\n"; } -- 2.25.1